Preventing or Mitigating Access Control Attacks

This course is the final module of Domain 5 of the CISSP, covering Identity and Access Management.

Learning Objectives

The objectives of this course are to provide you with an understanding of:

  • Identity as a Service
  • Integrating 3rd party identity services
  • Implementing and managing authorization mechanisms
  • Preventing or mitigating access control attacks
  • Managing the Identity and access provisioning lifecycle

Intended Audience

This course is designed for those looking to take the most in-demand information security professional certification currently available, the CISSP.


Any experience relating to information security would be advantageous, but not essential.  All topics discussed are thoroughly explained and presented in a way allowing the information to be absorbed by everyone, regardless of experience within the security field.


If you have thoughts or suggestions for this course, please contact Cloud Academy at


We're moving into section eight, in which we're going to discuss prevention or mitigation of access control attacks. First let's explore an example: a major retailer. Let's walk through the steps by which the attackers who carried out this breach succeeded. They originally gained access to the retailer's network by stealing access credentials from a refrigeration contractor through a phishing attack. That contractor's electronic interaction with the retailer was limited to billing, contract submission, and project management, and yet those credentials were enough to get a foothold inside the network.

Now, calling this a sophisticated and prolonged attack simply means that it took on multiple forms, attempted to succeed across multiple pathways, and played out over a period of time. Once the attackers had infiltrated the retailer's network, they were able to distribute malware to thousands of point-of-sale machines, designed to siphon off customer data, meaning identity and credit card information. They then set up a control server within the retailer's internal network that acted as the central repository for the stolen card data, and that data was later uploaded from the retailer's network to an external FTP server. This, of course, was Target. The access control lesson is that a vendor account whose only legitimate purpose was billing and project management should never have been able to reach the point-of-sale environment at all.

Now, protecting the enterprise against this kind of attack is going to require a multi-layered, coordinated defense involving people, processes, and tools that span a wide variety of areas. This will include your identity and access management system, which has to be able to prevent authentication attacks as well as access control attacks.

Now, web applications themselves are quite readily exploited. Their rich interfaces make it possible for anyone on the internet to reach a web application, and that makes them a very appealing target for attackers who want to gain access to other people's data and resources. Because they are so heavily used for e-commerce transactions, that makes them all the more attractive.

An access control attack is any attempt to bypass or circumvent the access control methods. And access control, as we know, begins with identification and authentication.

One technique that builds up toward circumventing these controls is access aggregation. An attacker collects multiple pieces of individually non-sensitive information and then combines, or aggregates, them to learn something sensitive, and is then able to exploit multiple types of access control systems using that information.

Reconnaissance attacks often precede the access aggregation type. Access aggregation, building on that reconnaissance, combines multiple tools to identify elements of a system, such as IP addresses, open ports, running services, and operating systems. In the case of subjects, it means visiting the different places where different pieces of information about the subject are available, such as nostalgia sites, LinkedIn, Facebook, and others; a password reset question like a first school or a pet's name is often answerable from exactly these sources.

The various forms of these attacks have multiple ways in which we can protect against them. For one thing, we want to control physical access to the system. An attacker with physical access to a platform will find its controls far easier to overcome than one who has only logical access. Within these systems, of course, we need to control electronic access to password files and make sure that they never present their contents anywhere in the clear; passwords should be stored only as salted hashes computed with a deliberately slow algorithm, so that a stolen file still has to be brute-forced one guess at a time.

We need to create a strong password policy, which has many benefits. One is that it makes passwords difficult for anyone to guess. It also creates the condition where a brute-force attack takes considerably longer. We use password masking, which defeats shoulder surfing. And we can, as many enterprises have done, deploy multifactor authentication, which complicates the attacker's task by forcing them to proceed along two lines, possibly even requiring a physical token or other means, and thus possibly defeating the attack outright.

In our password policy, we have to set up account lockout controls, such as a limited number of failed attempts after which the account is locked, either until an administrator resets it or for a period of time after which it unlocks itself. Bear in mind that a permanent lockout hands an attacker an easy denial of service against any account whose name they know, which is why the timed variety, or progressively longer delays, is usually preferable. Using last logon notification tells the legitimate user, when they log in, where and when the last login came from; if that differs from where they know they last logged in, it tells them that someone else has used the account.
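The hashed password storage, timed lockout and last-logon notification just described, put together in one small authentication service. This is an added example written for this page, not code from the course; the class and constant names, the five-attempt and fifteen-minute thresholds, and the sample user are assumptions made for the illustration.

```python
"""Lockout, last-logon notification and hashed password storage (added example).

Constructed illustration of the controls described in the section above; it is
not code from the course. Class and constant names, the thresholds, and the
sample users are assumptions made for the example.
"""
import hashlib
import hmac
import os
import time
from dataclasses import dataclass
from typing import Optional

MAX_FAILURES = 5          # assumed policy: lock after 5 consecutive failures
LOCKOUT_SECONDS = 900     # assumed policy: timed lockout (15 min), so no admin reset is needed
DEFAULT_ROUNDS = 600_000  # PBKDF2-HMAC-SHA256 iterations, the order of magnitude OWASP recommends


@dataclass
class Account:
    salt: bytes
    pw_hash: bytes                      # only the salted, slow hash is stored, never the password
    failures: int = 0
    locked_until: float = 0.0           # epoch seconds; 0 means not locked
    last_logon: Optional[tuple] = None  # (timestamp, source) of the last successful login


def hash_password(password: str, salt: bytes, rounds: int) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)


class AuthService:
    def __init__(self, clock=time.time, rounds: int = DEFAULT_ROUNDS):
        self._accounts: dict[str, Account] = {}
        self._clock = clock      # injectable so the lockout timer can be tested
        self._rounds = rounds

    def create_user(self, username: str, password: str) -> None:
        salt = os.urandom(16)
        self._accounts[username] = Account(salt, hash_password(password, salt, self._rounds))

    def is_locked(self, username: str) -> bool:
        acct = self._accounts.get(username)
        return acct is not None and self._clock() < acct.locked_until

    def login(self, username: str, password: str, source: str) -> dict:
        """Returns {'ok': bool, 'reason': str, 'last_logon': (ts, source) or None}."""
        now = self._clock()
        acct = self._accounts.get(username)
        if acct is None:
            # Do the same work and give the same answer as for a wrong password,
            # so response time and wording do not reveal which usernames exist.
            hash_password(password, b"\x00" * 16, self._rounds)
            return {"ok": False, "reason": "invalid credentials", "last_logon": None}
        if now < acct.locked_until:
            return {"ok": False, "reason": "account locked", "last_logon": None}
        if not hmac.compare_digest(hash_password(password, acct.salt, self._rounds), acct.pw_hash):
            acct.failures += 1
            if acct.failures >= MAX_FAILURES:
                acct.locked_until = now + LOCKOUT_SECONDS
                acct.failures = 0
                return {"ok": False, "reason": "account locked", "last_logon": None}
            return {"ok": False, "reason": "invalid credentials", "last_logon": None}
        # Success: clear the counter and return the previous login so the caller
        # can show "last login from <source> at <time>" to the user.
        acct.failures = 0
        previous = acct.last_logon
        acct.last_logon = (now, source)
        return {"ok": True, "reason": "", "last_logon": previous}


if __name__ == "__main__":
    svc = AuthService(rounds=10_000)
    svc.create_user("alice", "correct horse battery staple")
    print(svc.login("alice", "wrong", "10.0.0.5"))
    print(svc.login("alice", "correct horse battery staple", "10.0.0.5"))
    print(svc.login("alice", "correct horse battery staple", "203.0.113.7"))
```

Two design points worth noticing: the unknown-user path deliberately burns the same hashing cost and returns the same message as a wrong password, so the login endpoint cannot be used to enumerate valid usernames; and the lockout is timed rather than permanent, which limits how much denial of service an attacker can cause by hammering a known account.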

We can use vulnerability scanners to scan our own systems and see what information they reveal, what passes over the wire, and what intelligence an attacker could gain from them. We also have to actively manage accounts to ensure that new employees get provisioned correctly and that those who terminate get their accounts suspended or eliminated promptly upon departure.
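One way to turn the provisioning point into a check you can actually run, as an added example rather than anything from the course: reconcile the HR roster against the account directory and flag enabled accounts that belong to terminated employees, accounts with no HR owner at all, and dormant accounts. The record fields, the sample data and the 90-day dormancy window are assumptions made for the illustration.

```python
"""Account lifecycle reconciliation (added example; constructed data).

Compares an HR roster with the accounts in a directory and flags the
conditions the text describes: terminated employees whose accounts are still
enabled (and whether the account was used after the end date), enabled
accounts with no HR owner (orphans), and dormant accounts that have not
logged in within the policy window. Field names, sample records and the
90-day threshold are assumptions.
"""
from datetime import date, timedelta

DORMANT_DAYS = 90  # assumed policy window

# Constructed sample data, not real records.
HR_ROSTER = [
    {"employee_id": "E100", "name": "Alice Ng", "status": "active"},
    {"employee_id": "E101", "name": "Bob Rao", "status": "terminated", "end_date": date(2024, 3, 31)},
    {"employee_id": "E102", "name": "Carol Ito", "status": "active"},
]
DIRECTORY = [
    {"username": "ang", "owner": "E100", "enabled": True, "last_logon": date(2024, 4, 28)},
    {"username": "brao", "owner": "E101", "enabled": True, "last_logon": date(2024, 4, 2)},    # left 31 Mar, still enabled
    {"username": "cito", "owner": "E102", "enabled": True, "last_logon": date(2023, 12, 1)},   # dormant
    {"username": "svc-bk", "owner": None, "enabled": True, "last_logon": date(2024, 4, 29)},   # no HR owner
    {"username": "dold", "owner": "E099", "enabled": False, "last_logon": date(2022, 1, 1)},   # already disabled
]


def reconcile(roster, directory, today):
    """Return findings keyed by condition; only enabled accounts are considered."""
    active = {p["employee_id"] for p in roster if p["status"] == "active"}
    terminated = {p["employee_id"]: p for p in roster if p["status"] == "terminated"}
    findings = {
        "terminated_still_enabled": [],
        "used_after_termination": [],
        "orphaned": [],
        "dormant": [],
    }
    for acct in directory:
        if not acct["enabled"]:
            continue
        owner = acct["owner"]
        if owner in terminated:
            findings["terminated_still_enabled"].append(acct["username"])
            # A login after the end date means someone used the account post-departure.
            if acct["last_logon"] > terminated[owner]["end_date"]:
                findings["used_after_termination"].append(acct["username"])
        elif owner not in active:
            # Enabled account with no living HR record behind it: nobody owns it.
            findings["orphaned"].append(acct["username"])
        if today - acct["last_logon"] > timedelta(days=DORMANT_DAYS):
            findings["dormant"].append(acct["username"])
    return findings


if __name__ == "__main__":
    for condition, accounts in reconcile(HR_ROSTER, DIRECTORY, date(2024, 5, 1)).items():
        print(f"{condition}: {accounts}")
```

Run on a schedule, a check like this catches the gap between HR marking someone as terminated and the directory actually disabling the account; the "used after termination" list is the one that should become an incident rather than a ticket.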

We have many auditing and access-monitoring controls, and we need to be sure we're using them. SIEMs and audit logs have to be actively reviewed to divulge the information and intelligence they actually hold, so we need to pursue these actively. And of course, we should not overlook the importance of educating our users about security and training them in the techniques that strengthen all of these different kinds of controls.
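The reconnaissance described earlier (one source probing many ports on a host) and the brute-force and password-spraying attempts that a lockout policy is meant to blunt are exactly what an actively reviewed SIEM should surface. As an added example that is not part of the course, the following Python runs three such detection rules over constructed sshd and firewall log lines; the log formats, the 60-second window and the thresholds are assumptions chosen for the illustration. Note the last rule: a spray puts only one failure on each account, so per-account lockout never fires, and the successful login that follows the spray is the event that actually matters.

```python
"""SIEM-style detections over audit logs (added example; constructed data).

Rules: password spraying (one source, many accounts), single-account brute
force, port scan (one source, many ports on one host), and a successful login
from a source that was just spraying. Log formats, thresholds and the window
are assumptions made for the example.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample data, not real logs. The sshd lines follow the format OpenSSH
# writes to the auth log; the firewall lines are a generic key=value style.
AUTH_LOG = """\
2024-05-01T09:00:01Z sshd[2201]: Failed password for alice from 203.0.113.9 port 51234 ssh2
2024-05-01T09:00:03Z sshd[2202]: Failed password for bob from 203.0.113.9 port 51235 ssh2
2024-05-01T09:00:05Z sshd[2203]: Failed password for carol from 203.0.113.9 port 51236 ssh2
2024-05-01T09:00:07Z sshd[2204]: Failed password for invalid user dave from 203.0.113.9 port 51237 ssh2
2024-05-01T09:00:09Z sshd[2205]: Failed password for erin from 203.0.113.9 port 51238 ssh2
2024-05-01T09:00:11Z sshd[2206]: Accepted password for erin from 203.0.113.9 port 51239 ssh2
2024-05-01T09:01:00Z sshd[2207]: Failed password for alice from 10.0.0.5 port 40001 ssh2
2024-05-01T09:01:02Z sshd[2208]: Accepted password for alice from 10.0.0.5 port 40002 ssh2
""" + "".join(  # six failures against one account from one source in five seconds
    f"2024-05-01T09:02:{i:02d}Z sshd[23{i:02d}]: Failed password for admin from 192.0.2.77 port 5{i:04d} ssh2\n"
    for i in range(6)
)

# Ten distinct ports on one host within ten seconds, then one benign connection.
FW_LOG = "".join(
    f"2024-05-01T09:05:{i:02d}Z fw: DENY src=198.51.100.4 dst=10.0.0.20 dport={p} proto=tcp\n"
    for i, p in enumerate([21, 22, 23, 25, 80, 110, 139, 443, 445, 3389])
) + "2024-05-01T09:30:00Z fw: ALLOW src=10.0.0.5 dst=10.0.0.20 dport=443 proto=tcp\n"

AUTH_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: (?P<result>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)
FW_RE = re.compile(
    r"^(?P<ts>\S+) fw: (?P<action>ALLOW|DENY) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
WINDOW = timedelta(seconds=60)


def parse(log: str, regex: re.Pattern) -> list[dict]:
    """Turn matching log lines into dicts with a parsed timestamp; other lines are skipped."""
    events = []
    for line in log.splitlines():
        m = regex.match(line)
        if m:
            e = m.groupdict()
            e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
            events.append(e)
    return events


def window_hits(events, key, threshold, distinct=None, window=WINDOW):
    """Sliding-window aggregation: group events by key(e); inside any span no
    longer than `window`, count events (distinct=None) or distinct values of the
    field `distinct`. Returns {group: measure} for groups that reach threshold."""
    groups = defaultdict(list)
    for e in events:
        groups[key(e)].append(e)
    hits = {}
    for k, evs in groups.items():
        evs.sort(key=lambda e: e["ts"])
        start = 0
        for end in range(len(evs)):
            while evs[end]["ts"] - evs[start]["ts"] > window:
                start += 1
            span = evs[start:end + 1]
            measure = len(span) if distinct is None else {e[distinct] for e in span}
            size = measure if distinct is None else len(measure)
            if size >= threshold:
                hits[k] = measure
                break
    return hits


def run_detections(auth_log=AUTH_LOG, fw_log=FW_LOG):
    auth = parse(auth_log, AUTH_RE)
    failed = [e for e in auth if e["result"] == "Failed"]
    accepted = [e for e in auth if e["result"] == "Accepted"]
    denied = [e for e in parse(fw_log, FW_RE) if e["action"] == "DENY"]

    spray = window_hits(failed, key=lambda e: e["src"], threshold=5, distinct="user")
    brute = window_hits(failed, key=lambda e: (e["src"], e["user"]), threshold=5)
    scan = window_hits(denied, key=lambda e: (e["src"], e["dst"]), threshold=10, distinct="dport")
    # A success from a source that was just spraying is the alert worth paging on:
    # per-account lockout never fires because each account saw only one failure.
    success_after_spray = sorted((e["src"], e["user"]) for e in accepted if e["src"] in spray)
    return {"spray": spray, "brute_force": brute, "port_scan": scan,
            "success_after_spray": success_after_spray}


if __name__ == "__main__":
    for name, hits in run_detections().items():
        print(f"{name}: {hits}")
```

The brute-force rule keys on (source, account) and counts failures, which is what per-account lockout already handles; the spray rule keys on source alone and counts distinct accounts, which lockout cannot see. Both are the same sliding-window primitive with a different key and measure, which is how most SIEM correlation rules are built.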

About the Author

Mr. Leo has been in Information Systems for 38 years, and an Information Security professional for over 36 years. He has worked internationally as a Systems Analyst/Engineer, and as a Security and Privacy Consultant. His past employers include IBM, St. Luke's Episcopal Hospital, Computer Sciences Corporation, and Rockwell International. A NASA contractor for 22 years, from 1998 to 2002 he was Director of Security Engineering and Chief Security Architect for Mission Control at the Johnson Space Center. From 2002 to 2006 Mr. Leo was the Director of Information Systems, and Chief Information Security Officer for the Managed Care Division of the University of Texas Medical Branch in Galveston, Texas.


Upon attaining his CISSP certification in 1997, Mr. Leo joined ISC2 (in a professional role) as Chairman of the Curriculum Development Committee, and served in this role until 2004. During this time, he formulated and directed the effort that produced what became, and remains, the standard curriculum used to train CISSP candidates worldwide. He has maintained his standards as a professional educator and has trained and certified nearly 8500 CISSP candidates since 1998, and nearly 2500 in HIPAA compliance certification since 2004. Mr. Leo is an ISC2 Certified Instructor.